Can you attain GDPR compliance with a tech quick fix?

Toni Sekinah, research analyst and features editor, DataIQ

1st August 2017

With 25th May 2018 less than ten months away, there are still some organisations that are blissfully unaware of the General Data Protection Regulation (GDPR) and its consequences. On being informed that breaching the regulation after the aforementioned date carries stiff penalties, the first question may be, “what is the bare minimum that needs to be in place?” In fact, these were the exact words of a conference attendee after privacy expert Sheila FitzPatrick warned the audience of complacency about GDPR at Tealium’s Digital Velocity event. Such words typify a person who is looking for a quick fix.

Unfortunately, that doesn’t exist because GDPR is a multifaceted regulation. Nathaniel Wallis, security sales specialist at Axial Systems, told DataIQ: “There isn’t an easy or a quick fix for GDPR because it can’t be fixed by technology solely.” He explained that a complete solution would have a legal aspect, a security aspect and an aspect that deals with processes in the organisation.

However, some vendors dealing with just one of those aspects are promising GDPR compliance with the use of their products. “Security vendors that are looking to solve one aspect of it and are saying that they are going to make you GDPR compliant? That’s not correct,” he said. The reason for this is that technology is never going to improve the way processes are done internally and get them up to Regulation standard - this is something that organisations need to look at and evaluate themselves.

It is not just the security sector in which tech solutions providers are promising GDPR compliance. The description of one marketing tech solution exemplified how important it is to look closely at the wording of what is being offered. It has the tag line, “all the technical support needed for GDPR compliance.” Elsewhere in the FAQs about the product, the company said it is designing the solution “to cope as far as possible with this new legislative challenge.” The director then clarified in an email that his company sees itself as “providing technological support for GDPR.” Taken at face value, however, the tag line might lead one to believe that GDPR compliance is a guaranteed result of using the product.

Perhaps a lack of clarity around the terms is leading to vendors promising compliance when they shouldn’t. Bill Burns, chief trust officer at Informatica, said to DataIQ that privacy is frequently confused with security. “The two are tightly interrelated. Privacy and data protection laws, those encompass security,” he said. Informatica offers the Axon Data Governance solution which helps other companies to attain GDPR compliance by “closing the data governance functionality gap”. However, Burns clearly stated that Axon alone would not make a company compliant with GDPR stipulations.

“There is no panacea, there is no silver bullet. A product like Axon will help you describe where your risk is, but it won’t be able to fix a problem in training or poor policy. So, it is part of an overall solution, it is not something where you drop this in and you are GDPR compliant,” said Burns.

FitzPatrick told the conference audience in June that she had noticed an explosion in self-appointed GDPR experts immediately after the regulation was ratified and was baffled as to “how these companies, that knew nothing about privacy laws last April, became GDPR experts overnight.” She also said that companies will approach her and say, “if you buy our tools and technology, we’ll guarantee you’re GDPR compliant.” Her response is to ask them what they know about security and privacy and request that they explicitly detail what their privacy policy is.

Wallis also advocated scrutinising any company that is offering a tech solution and viewing the offerings with a sceptical eye. “Don’t just trust what everyone in the marketplace is telling you. Go out and do your own research,” he recommended. Wallis and Burns were both of the view that it is essential to take a company-wide approach to becoming compliant and embedding the key principles of data privacy in the fabric of the organisation.

Burns stated: “Axon is definitely part of an effective technical control, but those controls are only as good as the policies and the procedures and the training you wrap around it from an overall governance perspective.” He added it is important to train employees so that they know what to do, what they are responsible for and how to report anything anomalous in relation to data protection.

Wallis explained that, before starting to work with Axial, his clients will usually have already gone through the process of hiring a data protection officer who would have looked at how the company is working with regard to data governance. He and his colleagues will then start inserting different technologies and services in the organisation.

In response to the question about the bare minimum to have in place for GDPR, FitzPatrick told the attendee that he was thinking about it the wrong way. She said: “You have to go in with the idea that we’re going to do as much as we humanly and technically can before May 25th.” She did, however, say that it is imperative to have a data privacy framework in place and a privacy programme built before then.

“You need to understand what data you collect, where you’re collecting it from, you need to look at what your consents are, your data privacy agreements with 3rd parties,” she said. According to the privacy expert, there is no “at the very least” quick fix when it comes to data protection.